Hi, thanks for answering,
Ports 9200 and 9300 of ES are open, the client is set to use port 9200
–
elasticsearch.yml
---
# Node settings for the single-node, Search Guard secured Docker cluster.
cluster.name: 'docker-cluster'
# 0.0.0.0 binds HTTP (9200) and transport (9300) on every interface of the container.
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
discovery.type: single-node

# Search Guard: community modules only, TLS configured for the transport layer.
searchguard.enterprise_modules_enabled: false
# Node keystore and truststore (relative paths, resolved against the ES config directory).
# NOTE(review): the keytool listings further down show these hold the Search Guard demo
# material (Example Com Inc. CAs, node-0, kirk; CRL under floragunncom/unittest-assets).
# Demo keys are public and only suitable for a test setup.
searchguard.ssl.transport.keystore_filepath: sg/node-0-keystore.jks
searchguard.ssl.transport.truststore_filepath: sg/truststore.jks
# Peer node certificates are not checked against the peer's hostname.
searchguard.ssl.transport.enforce_hostname_verification: false
# Client-certificate subject(s) granted sgadmin rights; compare with the kirk entry
# in the keystore listing below.
searchguard.authcz.admin_dn:
  - 'CN=kirk,OU=client,O=client,l=tEst,C=De'
sg_config.yml
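---
# Search Guard dynamic configuration (sg_config.yml): a single HTTP Basic
# authentication domain backed by the internal user database.
# Indentation restored -- as pasted, the nested keys had collapsed to one level.
searchguard:
  dynamic:
    http:
      xff:
        # X-Forwarded-For headers are not trusted for the client address.
        enabled: false
    authc:
      basic_internal_auth_domain:
        http_authenticator:
          type: basic
        authentication_backend:
          # intern = users and password hashes from sg_internal_users.yml
          type: intern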
sg_roles.yml
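---
# Search Guard roles (sg_roles.yml). A role carries cluster-level permissions and
# per-index grants laid out as index pattern -> document type -> permissions.
# Upper-case names (UNLIMITED, READ, CRUD, ...) are action groups from
# sg_action_groups.yml; 'indices:...' / 'cluster:...' entries are raw action names.
# A leading '?' matches one character, e.g. '?kibana' covers the hidden '.kibana' index.
# Indentation restored -- as pasted, every key had collapsed to the top level.
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - 'indices:data/read/field_caps*'
        - 'indices:data/read/xpack/rollup*'
        - 'indices:admin/mappings/get*'
        - 'indices:admin/get'

sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - 'cluster:admin/xpack/monitoring*'
    - 'indices:admin/template*'
    - 'indices:data/read/scroll*'
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?kibana_*':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats*':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - 'indices:admin/aliases*'

sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - 'indices:admin/template/get'
    - 'indices:admin/template/put'
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - 'indices:data/write/index'
        - 'indices:admin/create'

sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    # ${user_name} is replaced with the authenticated user's name, so each user
    # gets full rights on an index named after them (and nothing else here).
    '${user_name}':
      '*':
        - INDICES_ALL

sg_xp_monitoring:
  readonly: true
  cluster:
    - 'cluster:monitor/xpack/info'
    - 'cluster:monitor/main'
    - 'cluster:admin/xpack/monitoring/bulk'
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

sg_xp_alerting:
  readonly: true
  cluster:
    - 'indices:data/read/scroll'
    - 'cluster:admin/xpack/watcher*'
    - 'cluster:monitor/xpack/watcher*'
  indices:
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ
        - 'indices:admin/aliases/get'

sg_xp_machine_learning:
  readonly: true
  cluster:
    - 'cluster:admin/persistent*'
    - 'cluster:internal/xpack/ml*'
    - 'indices:data/read/scroll*'
    - 'cluster:admin/xpack/ml*'
    - 'cluster:monitor/xpack/ml*'
  indices:
    '*':
      '*':
        - READ
        - 'indices:admin/get*'
    '?ml-*':
      '*':
        - '*'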
sg_roles_mapping.yml
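---
# Role mapping (sg_roles_mapping.yml): assigns Search Guard roles to backend roles
# (the "roles" of sg_internal_users.yml) or to individual user names.
# Indentation restored -- as pasted, the nested keys had collapsed to one level.
sg_all_access:
  readonly: true
  backendroles:
    - admin

sg_logstash:
  backendroles:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_kibana_user:
  backendroles:
    - kibanauser

sg_readall:
  readonly: true
  backendroles:
    - readall

sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore

sg_own_index:
  # '*' matches every authenticated user, so all of them receive sg_own_index.
  users:
    - '*'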
sg_internal_users.yml.yml
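---
# Internal user database (sg_internal_users.yml): bcrypt password hash per user plus
# the backend roles that sg_roles_mapping.yml resolves to Search Guard roles.
# NOTE(review): these look like the hashes shipped with the Search Guard demo
# configuration (the same demo set whose certificates are listed below). The matching
# passwords are public, so every hash must be regenerated before non-test use.
# Indentation restored -- as pasted, the nested keys had collapsed to one level.
admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
  roles:
    - admin

logstash:
  hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
  roles:
    - logstash

# No backend roles: mapped directly by user name in sg_roles_mapping.yml.
kibanaserver:
  readonly: true
  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

kibanaro:
  hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
  roles:
    - kibanauser
    - readall

readall:
  hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
  roles:
    - readall

snapshotrestore:
  hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
  roles:
    - snapshotrestore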
sg_action_groups.yml
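---
# Action groups (sg_action_groups.yml): named bundles of Elasticsearch action names
# (wildcards allowed) referenced from sg_roles.yml. A group may include other groups,
# e.g. CRUD = READ + WRITE. Indentation restored -- as pasted, every key had
# collapsed to the top level.
UNLIMITED:
  readonly: true
  permissions:
    - '*'

###### INDEX LEVEL ######
INDICES_ALL:
  readonly: true
  permissions:
    - 'indices:*'

# for backward compatibility
ALL:
  readonly: true
  permissions:
    - INDICES_ALL

MANAGE:
  readonly: true
  permissions:
    - 'indices:monitor/*'
    - 'indices:admin/*'

CREATE_INDEX:
  readonly: true
  permissions:
    - 'indices:admin/create'
    - 'indices:admin/mapping/put'

MANAGE_ALIASES:
  readonly: true
  permissions:
    - 'indices:admin/aliases*'

# for backward compatibility
MONITOR:
  readonly: true
  permissions:
    - INDICES_MONITOR

INDICES_MONITOR:
  readonly: true
  permissions:
    - 'indices:monitor/*'

DATA_ACCESS:
  readonly: true
  permissions:
    - 'indices:data/*'
    - CRUD

WRITE:
  readonly: true
  permissions:
    - 'indices:data/write*'
    - 'indices:admin/mapping/put'

READ:
  readonly: true
  permissions:
    - 'indices:data/read*'
    - 'indices:admin/mappings/fields/get*'

DELETE:
  readonly: true
  permissions:
    - 'indices:data/write/delete*'

CRUD:
  readonly: true
  permissions:
    - READ
    - WRITE

SEARCH:
  readonly: true
  permissions:
    - 'indices:data/read/search*'
    - 'indices:data/read/msearch*'
    - SUGGEST

SUGGEST:
  readonly: true
  permissions:
    - 'indices:data/read/suggest*'

INDEX:
  readonly: true
  permissions:
    - 'indices:data/write/index*'
    - 'indices:data/write/update*'
    - 'indices:admin/mapping/put'
    - 'indices:data/write/bulk*'

GET:
  readonly: true
  permissions:
    - 'indices:data/read/get*'
    - 'indices:data/read/mget*'

###### CLUSTER LEVEL ######
CLUSTER_ALL:
  readonly: true
  permissions:
    - 'cluster:*'

CLUSTER_MONITOR:
  readonly: true
  permissions:
    - 'cluster:monitor/*'

CLUSTER_COMPOSITE_OPS_RO:
  readonly: true
  permissions:
    - 'indices:data/read/mget'
    - 'indices:data/read/msearch'
    - 'indices:data/read/mtv'
    - 'indices:data/read/coordinate-msearch*'
    - 'indices:admin/aliases/exists*'
    - 'indices:admin/aliases/get*'
    - 'indices:data/read/scroll'

CLUSTER_COMPOSITE_OPS:
  readonly: true
  permissions:
    - 'indices:data/write/bulk'
    - 'indices:admin/aliases*'
    - 'indices:data/write/reindex'
    - CLUSTER_COMPOSITE_OPS_RO

MANAGE_SNAPSHOTS:
  readonly: true
  permissions:
    - 'cluster:admin/snapshot/*'
    - 'cluster:admin/repository/*'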
trustore.jks
Nom d'alias : root-ca-chain
Date de création : 5 mai 2018
Type d'entrée : trustedCertEntry
Propriétaire : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
SHA 1: 88:48:14:ED:9B:8E:AE:67:7A:FA:4E:9C:F7:6E:B2:8A:BE:79:D5:67
SHA 256: CE:31:A5:D1:66:B7:8B:BF:D3:32:0F:BB:3B:49:0C:B2:42:CD:49:0B:7D:61:58:18:FC:D3:7E:63:AF:2E:82:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3
Extensions :
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
*******************************************
*******************************************
kirkstore.jks
Nom d'alias : kirk
Date de création : 5 mai 2018
Type d'entrée : PrivateKeyEntry
Longueur de chaîne du certificat : 3
Certificat[1]:
Propriétaire : CN=kirk, OU=client, O=client, L=Test, C=DE
Emetteur : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 8
Valide du Sat May 05 16:37:16 CEST 2018 au Tue May 02 16:37:16 CEST 2028
Empreintes du certificat :
SHA 1: 6E:0E:84:11:74:CF:5F:8E:EC:55:99:DF:D4:3B:66:28:1E:24:E2:B7
SHA 256: 1B:97:6A:DF:B3:4C:66:BE:C4:DB:3D:29:65:FC:FF:4F:2B:38:6C:55:05:E5:B2:B8:44:5E:35:A4:FE:A2:C5:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3
Extensions :
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6 E7 CB E5 8E 6A 44 A4 C4 .w..1.?.....jD..
0010: E3 04 C1 E0 ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl]
]]
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 39 7C F6 B5 FB 49 2E 05 97 FA 1C 1B B4 99 88 B4 9....I..........
0010: 2D 27 27 C7 -''.
]
]
Certificat[2]:
Propriétaire : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 2
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
SHA 1: 22:86:BF:91:83:D9:FA:30:FB:34:35:04:7A:75:57:7D:24:95:C5:49
SHA 256: 4E:BE:1F:75:3D:D4:92:53:7B:74:C7:0A:6A:3D:57:14:A2:C7:01:ED:06:B0:E0:BC:8F:7F:C6:6F:87:8E:E3:5E
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3
Extensions :
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6 E7 CB E5 8E 6A 44 A4 C4 .w..1.?.....jD..
0010: E3 04 C1 E0 ....
]
]
Certificat[3]:
Propriétaire : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
SHA 1: 88:48:14:ED:9B:8E:AE:67:7A:FA:4E:9C:F7:6E:B2:8A:BE:79:D5:67
SHA 256: CE:31:A5:D1:66:B7:8B:BF:D3:32:0F:BB:3B:49:0C:B2:42:CD:49:0B:7D:61:58:18:FC:D3:7E:63:AF:2E:82:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3
Extensions :
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
*******************************************
*******************************************
node-0-keystore.jks
Nom d'alias : node-0
Date de création : 5 mai 2018
Type d'entrée : PrivateKeyEntry
Longueur de chaîne du certificat : 3
Certificat[1]:
Propriétaire : CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE
Emetteur : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:09 CEST 2018 au Tue May 02 16:37:09 CEST 2028
Empreintes du certificat :
SHA 1: 55:A2:56:D5:8D:61:71:8D:D6:CC:63:B3:4C:17:4A:63:F0:25:97:D4
SHA 256: 69:91:03:9F:12:1E:DC:02:88:3D:23:74:58:4F:20:FC:D9:44:C0:77:DD:D6:8E:18:10:C6:BC:90:FC:3E:04:17
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3
Extensions :
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6 E7 CB E5 8E 6A 44 A4 C4 .w..1.?.....jD..
0010: E3 04 C1 E0 ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl]
]]
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: node-0.example.com
DNSName: localhost
IPAddress: 127.0.0.1
OIDName: 1.2.3.4.5.5
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 5C 3A EA A6 65 AC 10 6A 66 9D F3 F7 B0 87 45 .\:..e..jf.....E
0010: 4C E6 7B 5C L..\
]
]
Certificat[2]:
Propriétaire : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 2
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
SHA 1: 22:86:BF:91:83:D9:FA:30:FB:34:35:04:7A:75:57:7D:24:95:C5:49
SHA 256: 4E:BE:1F:75:3D:D4:92:53:7B:74:C7:0A:6A:3D:57:14:A2:C7:01:ED:06:B0:E0:BC:8F:7F:C6:6F:87:8E:E3:5E
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3
Extensions :
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6 E7 CB E5 8E 6A 44 A4 C4 .w..1.?.....jD..
0010: E3 04 C1 E0 ....
]
]
Certificat[3]:
Propriétaire : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
SHA 1: 88:48:14:ED:9B:8E:AE:67:7A:FA:4E:9C:F7:6E:B2:8A:BE:79:D5:67
SHA 256: CE:31:A5:D1:66:B7:8B:BF:D3:32:0F:BB:3B:49:0C:B2:42:CD:49:0B:7D:61:58:18:FC:D3:7E:63:AF:2E:82:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3
Extensions :
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6 42 E6 5E E4 CF 12 F8 57 [...F...B.^....W
0010: 4C 6A 30 15 Lj0.
]
]
*******************************************
*******************************************